Where do you think IT guys are discussing web security? (Tip: it might be next door…)


In your town's OWASP chapter. OWASP stands for Open Web Application Security Project, and there is very likely an OWASP chapter close to your office, as there are more than 200 chapters in 70 countries. The reason I am blogging about that foundation is that last week the French OWASP chapter met in my employer's offices. Gathering about 30 security experts and security-minded people, the Paris meeting was fruitful and interactive. The French chapter leaders are Ludovic Petit (@Owasper) and Sébastien Gioria (@SPoint), supported by Ely de Travieso (@ElydeTravieso, yes, the one who already organized the Secutic Day I reported on in earlier posts). The objective of OWASP is to support the developer community with tools, code and documentation related to the security of web applications and everything around them. All this material is, of course, available for free.

Great projects. During this meeting, new OWASP Foundation projects were unveiled: a Top 10 related to cloud deployment [1] and a revised version of the Mobile Top 10 [2]. I can only recommend that you have a look at the OWASP website and browse the different projects hosted there. There will most likely be one that answers your most recent web application security question (https://www.owasp.org/index.php/Main_Page).

Liability, or how to avoid ending up in jail. Another topic was discussed, one which is sometimes far from developers' day-to-day constraints: liability. The complex question of 'who is liable in case of software failure' was addressed by Ludovic [3], based on his large experience of fraud and legal matters. The answer is quite simple: a developer can be held liable for a piece of software that causes damage (information leak, privacy breach, functional incident, …). The rationale is that the web applications delivered are most of the time part of IT systems, which are subject to strict laws, such as the obligation to guarantee that no incident can happen. Most countries require IT systems to be reliable when processing data, in terms of integrity, availability, non-repudiation and confidentiality. Obviously this does not mean that every developer will end up in jail. It means that potentially, in case of a problem, he will be challenged on the quality of the product, based on his skills and knowledge (if you are known to be good but code in a lazy style, you might get into trouble).

Data privacy in Europe. Light was also shed, during that meeting, on the recent progress of the European Community towards a law on data privacy. This status update was given by Thiébaut Devergranne, PhD in law, experienced developer and consultant. His message was quite direct: the European text will be a tool to attack any company failing to take care of data privacy [4]. This new regulation will be the same for all 27 European countries, and takes into account the aspects of the internet, mobility and social media which have recently reshaped all information systems and services. The other major changes compared to the previous EU directive, issued in 1995, are that (1) companies will have to demonstrate that they performed a risk analysis of their data processing, and (2) the European Commission will be able to fine companies up to 2% of their turnover if they do not correctly implement the law. The most impressive aspect is that this law will apply to any company managing data of European citizens, including the large software and service companies located in Silicon Valley. And last but not least, a new job will soon be hype: data privacy officer, similar to the Correspondant Informatique et Libertés in France, required for every private company larger than 250 people, or any company processing sensitive data.

The passionate discussion that followed the talk demonstrated how much this could impact the life of companies… Stay tuned on OWASP projects!

[1] OWASP Top 10 Cloud project: https://www.owasp.org/index.php/Category:OWASP_Cloud_%E2%80%90_10_Project

[2] OWASP Mobile Security Project, in collaboration with ENISA: https://www.owasp.org/index.php/OWASP_Mobile_Security_Project (see the Top 10 mobile controls)

[3] French chapter leader's presentation about OWASP projects and liability: https://www.owasp.org/images/2/2a/Chapter_Meeting_OWASP_France_-_7_Feb_2013.pdf

[4] Thiébaut Devergranne's presentation about the EU data privacy regulation [fr]: http://www.donneespersonnelles.fr/donnees-personnelles-le-nouveau-projet-de-reglement-europeen

One comment

  1. Many thanks for this post and feedback Virginie, much appreciated!

    @ All: Please feel free to ping Sebastien, Ely and myself if needed, we look forward to hearing from you guys. All comments are welcome.

    That said, would you like to discuss further about your context and wanna take a ride?

    Let’s meet up and have a chat together, OWASP rules!

    Talk to you s00n I h0PE.

    Best!
    Ludovic
